Geo-Location Processor and multiple IPs inf field

Hi all,
Will the built-in Geo-Location Processor work with ip fields that contain more than one address, such as http_xff field? eg:,,

I’m sure it did but doesn’t seem to working anymore.



If your messages contains two IP Addresses in the src_ip field I’m not sure.

These are private address GEOIP works with IP addresses outside your organization.

You can find more information here.

If your trying to find internal ip address sources you could use the source field and maybe some extractors/pipelines.

Hope that helps

Thanks gsmith. The 192.x.x.x in my first post were just examples. In the actual data, there is a public ip, then 2 aws ips (ecs host and elb). I have created an extractor that grabs the ip of interest and puts in its own field. I also have another extractor that does something similar for another type of message and that used to work, however lately it isn’t work either.

Processor order:
|1| AWS Instance Name Lookup
|2| Pipeline Processo
|3| Message Filter Chain
|4| GeoIP Resolver

config plugin:
Database type:
City database
Database path:

My understanding is that the extractors are part of the the filter chains and having the geoip plugin last, it should be able to detect the ip fields and do is thing?

many thanks


Try this order.


I’m also using GeoIP Plugin. Here is my overview.

Did you follow the documentation for GeoIP?

I can’t change the order of the processors because there is a pipeline that an extractor relies on. The xff field is in a json message (suricata) which is has a syslog prefix that needs to be removed so graylog can process the suricata message correctly (this is what the pipeline does), then an extractor processess the resulting json and it is consumed correctly by graylog.

Am i just doing this the hard way?


The that might be your problem, also

If you did this then the GeoIP pipeline might be not able to get the field below.




This post might be able to help.

If im using the geoip plugin in ’ Message Processors Configuration’ do I still need a pipeline to do the translation? I had thought if you configure the geoip plugin, you didn’t need a pipeline?

I guess I would need the pipeline to extract the json message from the syslog message (instead of an extractor doing), then apply the geoip to the custom field ```

in a later stage?

many thanks

You do, Please take a look at the documentation.

ALSO this post will help you.

EDIT: This is a good read also

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.